Updated: 2022-12-17
Harbor overview
Harbor on GitHub: https://github.com/goharbor/harbor
Harbor website: https://goharbor.io
Harbor documentation: https://goharbor.io/docs/
Harbor is an enterprise-grade registry for storing and distributing container images, open-sourced by VMware. It extends the open-source Docker Distribution registry with the capabilities an organisation needs around it, such as security, identity and management, and as a private registry it gives better performance and control than a bare Distribution instance, speeding up image transfer between build and runtime environments. Harbor can replicate images between several registry nodes while every image stays inside the private registry, so data and intellectual property remain under the control of the company network. It also provides user management, access control and activity auditing, so every push and pull is attributable to an account.
Installing and using Harbor (single node)
Preparation
Two Ubuntu 20 hosts

Hostname | IP | Role | Installed services |
---|---|---|---|
harbor | 192.168.111.171 | Harbor server | Docker Engine, Docker Compose, Harbor |
docker | 192.168.111.188 | Docker client | Docker Engine |
Pre-installation checks
Harbor depends on Docker Engine and Docker Compose; install both first (the installation itself is not covered here).
Requirements: Harbor Installation Prerequisites, https://goharbor.io/docs/2.6.0/install-config/installation-prereqs/
Certificates
Harbor TLS configuration reference: Configure HTTPS Access to Harbor, https://goharbor.io/docs/2.6.0/install-config/configure-https/
Create the CA certificate
Create the CA private key
root@harbor:~# mkdir -p /etc/pki/tls/
root@harbor:~# openssl genrsa -out /etc/pki/tls/ca.key 4096
Create the self-signed CA certificate (valid for 10 years)
root@harbor:~# openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=KMUST/OU=Personal/CN=skynemo.cn" \
-key /etc/pki/tls/ca.key \
-out /etc/pki/tls/ca.crt
Every client that trusts ca.crt will accept any certificate signed with ca.key, so keep that key readable by root only (chmod 600) and, ideally, move it off the Harbor host once signing is done.
Create the Harbor server key and certificate
Create the private key
root@harbor:~# mkdir -p /etc/harbor/certs
root@harbor:~# openssl genrsa -out /etc/harbor/certs/harbor.skynemo.cn.key 4096
Create the certificate signing request (CSR)
root@harbor:~# openssl req -sha512 -new \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=KMUST/OU=Personal/CN=harbor.skynemo.cn" \
-key /etc/harbor/certs/harbor.skynemo.cn.key \
-out /etc/harbor/certs/harbor.skynemo.cn.csr
Create the x509 v3 extension file
Modern TLS clients (Docker, containerd, browsers) match the registry name against subjectAltName and ignore the CN, so every hostname and IP that clients will use must be listed here. A wildcard such as *.skynemo.cn covers a single label only.
root@harbor:~# cat > /etc/harbor/certs/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=*.skynemo.cn
IP.1=192.168.111.171
EOF
Sign the CSR with the CA, applying the extension file
root@harbor:~# openssl x509 -req -sha512 -days 3650 \
-extfile /etc/harbor/certs/v3.ext \
-CA /etc/pki/tls/ca.crt \
-CAkey /etc/pki/tls/ca.key \
-CAcreateserial \
-in /etc/harbor/certs/harbor.skynemo.cn.csr \
-out /etc/harbor/certs/harbor.skynemo.cn.crt
Create a copy with the .cert suffix
# The Docker daemon treats files ending in .crt under /etc/docker/certs.d as CA certificates and files ending in .cert as client certificates; Harbor's documentation therefore keeps the server certificate under both names
$ openssl x509 -inform PEM -in /etc/harbor/certs/harbor.skynemo.cn.crt -out /etc/harbor/certs/harbor.skynemo.cn.cert
List the generated files
[root@harbor ~]# ll /etc/harbor/certs/
total 20
-rw-r--r--. 1 root root 2074 Dec 2 22:13 harbor.skynemo.cn.cert
-rw-r--r--. 1 root root 2074 Dec 2 22:12 harbor.skynemo.cn.crt
-rw-r--r--. 1 root root 1712 Dec 2 22:10 harbor.skynemo.cn.csr
-rw-r--r--. 1 root root 3243 Dec 2 22:10 harbor.skynemo.cn.key
-rw-r--r--. 1 root root 252 Dec 2 22:12 v3.ext
Note that the private key was created world-readable (0644); restrict it to its owner (chmod 600) before starting Harbor.
Installation
Official release packages: https://github.com/goharbor/harbor/releases
Download and extract
# Download the offline installer
root@harbor:~# wget https://github.com/goharbor/harbor/releases/download/v2.6.2/harbor-offline-installer-v2.6.2.tgz
# Extract
root@harbor:~# mkdir -p /apps
root@harbor:~# tar -xf harbor-offline-installer-v2.6.2.tgz -C /apps
Each release also publishes a detached GPG signature (.asc) next to the tarball. Verify it against the Harbor release signing key described in the installer documentation before extracting: the offline tarball contains the container images you are about to run.
Configuration and installation
Configuration
# Create the data directory
root@harbor:~# mkdir -p /data/harbor
root@harbor:~# cd /apps/harbor/
# Edit the configuration
root@harbor:/apps/harbor# cp harbor.yml.tmpl harbor.yml
root@harbor:/apps/harbor# vim harbor.yml
# Set to this host's FQDN or IP; it must match a name or IP in the certificate's SANs
hostname: harbor.skynemo.cn
# Initial password of the built-in admin user. Harbor12345 is the well-known default: set a strong one here or change it at first login
harbor_admin_password: Harbor12345
# Without a certificate, comment out the https block; Harbor then serves plain HTTP and login credentials cross the network in the clear
# HTTPS certificate configuration
https:
  port: 443
  certificate: /etc/harbor/certs/harbor.skynemo.cn.cert
  private_key: /etc/harbor/certs/harbor.skynemo.cn.key
# Data directory
data_volume: /data/harbor
Install
# Run the Harbor installer
root@harbor:/apps/harbor# ./install.sh
....
Creating network "harbor_harbor" with the default driver
Creating harbor-log ... done
Creating harbor-portal ... done
Creating registryctl ... done
Creating harbor-db ... done
Creating redis ... done
Creating registry ... done
Creating harbor-core ... done
Creating nginx ... done
Creating harbor-jobservice ... done
✔ ----Harbor has been installed and started successfully.----
# To also deploy ChartMuseum (a Helm chart repository) add --with-chartmuseum. ChartMuseum is deprecated as of Harbor 2.6 and removed in 2.8; push Helm charts as OCI artifacts instead. --with-trivy adds the Trivy vulnerability scanner
./install.sh --with-chartmuseum
# After a successful install, docker-compose.yml is generated in /apps/harbor and Harbor is started automatically
# Harbor can then be started and stopped with docker-compose
docker-compose -f ./docker-compose.yml up -d
docker-compose -f ./docker-compose.yml down
Start Harbor at boot
Harbor is orchestrated with docker-compose, so a systemd unit that wraps docker-compose is enough to start it at boot
# /etc/systemd/system is the location for locally written units; /usr/lib/systemd/system belongs to distribution packages. With the Compose v2 plugin, replace /usr/bin/docker-compose with /usr/bin/docker compose
root@harbor:~# vim /etc/systemd/system/harbor.service
[Unit]
Description=Harbor
After=docker.service systemd-resolved.service
Requires=docker.service
Documentation=https://goharbor.io/
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/docker-compose -f /apps/harbor/docker-compose.yml up -d
ExecStop=/usr/bin/docker-compose -f /apps/harbor/docker-compose.yml down
[Install]
WantedBy=multi-user.target
root@harbor:~# systemctl daemon-reload
root@harbor:~# systemctl enable harbor
Check the running state
root@harbor:/apps/harbor# docker-compose ls
NAME STATUS CONFIG FILES
harbor running(9) /apps/harbor/docker-compose.yml
root@harbor:/apps/harbor# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1d4221d82d3a goharbor/harbor-jobservice:v2.6.2 "/harbor/entrypoint.…" 52 seconds ago Up 49 seconds (healthy) harbor-jobservice
42c7fed676f0 goharbor/nginx-photon:v2.6.2 "nginx -g 'daemon of…" 52 seconds ago Up 49 seconds (healthy) 0.0.0.0:80->8080/tcp, :::80->8080/tcp, 0.0.0.0:443->8443/tcp, :::443->8443/tcp nginx
d0eb2127e420 goharbor/harbor-core:v2.6.2 "/harbor/entrypoint.…" 52 seconds ago Up 50 seconds (healthy) harbor-core
c3fd31e3977f goharbor/registry-photon:v2.6.2 "/home/harbor/entryp…" 52 seconds ago Up 50 seconds (healthy) registry
d871a6d5b2db goharbor/harbor-registryctl:v2.6.2 "/home/harbor/start.…" 52 seconds ago Up 50 seconds (healthy) registryctl
9929a195a08a goharbor/harbor-db:v2.6.2 "/docker-entrypoint.…" 52 seconds ago Up 50 seconds (healthy) harbor-db
96bd39a0d9f1 goharbor/harbor-portal:v2.6.2 "nginx -g 'daemon of…" 52 seconds ago Up 50 seconds (healthy) harbor-portal
7bd614dc5961 goharbor/redis-photon:v2.6.2 "redis-server /etc/r…" 52 seconds ago Up 50 seconds (healthy) redis
3ec52d5871f4 goharbor/harbor-log:v2.6.2 "/bin/sh -c /usr/loc…" 52 seconds ago Up 51 seconds (healthy) 127.0.0.1:1514->10514/tcp
Changing the configuration
Edit harbor.yml, then run the prepare script: it re-renders the component configuration and docker-compose.yml from harbor.yml. Stop Harbor before running it and start it again afterwards. The -v removes only the anonymous volumes of the stopped containers; Harbor's persistent data lives under data_volume as bind mounts and is not touched, which is why the official reconfiguration steps use it.
root@harbor:/apps/harbor# docker-compose -f ./docker-compose.yml down -v
root@harbor:/apps/harbor# ./prepare
root@harbor:/apps/harbor# docker-compose -f ./docker-compose.yml up -d
Using Harbor
Log in to the web UI
Username admin, password as set in harbor.yml
Create a project
Images can only be pushed to a project that already exists in Harbor, so create one first (here: example). Projects are private by default; keep them private unless anonymous pull is really intended.
Docker client login
To verify the server, the client needs only one file: the CA certificate (ca.crt) or the Harbor server certificate (harbor.skynemo.cn.crt), placed in the registry's certs.d directory.
If a private key is placed in that directory as well, Docker insists on the matching client certificate, so you would then need at least three files:
- CA certificate (ca.crt) or server certificate (<domain>.crt)
- client certificate: xx.cert
- the private key for that certificate: xx.key
Harbor does not require client certificates (mTLS), and the .key in question is the Harbor server's private key: anyone holding it can impersonate the registry. Copy only ca.crt to clients.
Copy the certificate files
# Create the directory /etc/docker/certs.d/<domain>:<port>; the :port can be omitted for 443 (the default)
root@docker:~# mkdir -p /etc/docker/certs.d/harbor.skynemo.cn
# Copy the CA certificate (sufficient on its own)
root@docker:~# scp 192.168.111.171:/etc/pki/tls/ca.crt /etc/docker/certs.d/harbor.skynemo.cn/ca.crt
# Or copy the Harbor server certificate instead
root@docker:~# scp 192.168.111.171:/etc/harbor/certs/harbor.skynemo.cn.crt /etc/docker/certs.d/harbor.skynemo.cn/harbor.skynemo.cn.crt
# Copying the .cert/.key pair as well works, but it is unnecessary and spreads the server's private key to every client; prefer ca.crt alone
root@docker:~# scp 192.168.111.171:/etc/harbor/certs/harbor.skynemo.cn.cert /etc/docker/certs.d/harbor.skynemo.cn/
root@docker:~# scp 192.168.111.171:/etc/harbor/certs/harbor.skynemo.cn.key /etc/docker/certs.d/harbor.skynemo.cn/
[root@docker ~]# ll /etc/docker/certs.d/harbor.skynemo.cn/
total 12
-rw-r--r--. 1 root root 2025 Dec 2 23:41 ca.crt
-rw-r--r--. 1 root root 2074 Dec 2 23:52 harbor.skynemo.cn.cert
-rw-r--r--. 1 root root 3243 Dec 2 23:50 harbor.skynemo.cn.key
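Docker's rules for /etc/docker/certs.d are easy to get wrong: *.crt files are trusted CA roots for that registry, *.cert/*.key pairs are client certificates for mTLS, and an unpaired .key or .cert makes the daemon refuse to talk to the registry at all. The shell function below is an added example, not code from the article or from Docker: it audits one certs.d directory against those rules and flags the mistake shown in the listing above, the Harbor server's private key copied to a client. The directory it is run against in the usage comment is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the article): audit one /etc/docker/certs.d/<host>[:port] directory.
# Rules implemented are the daemon's: *.crt = trusted CA roots for this registry,
# *.cert + *.key = client certificate pair (mTLS), both halves required.
# Prints findings; returns 0 if Docker would accept the directory, 1 otherwise.
check_certsd() {
  dir=${1%/}
  host=$(basename "$dir"); host=${host%%:*}   # strip an optional :port
  rc=0; roots=0

  for f in "$dir"/*.crt; do
    [ -e "$f" ] || continue
    roots=$((roots + 1))
  done
  [ "$roots" -gt 0 ] || echo "INFO: no *.crt in $dir; only the system trust store will be used for $host"

  for key in "$dir"/*.key; do
    [ -e "$key" ] || continue
    cert=${key%.key}.cert
    if [ ! -e "$cert" ]; then
      echo "ERROR: $key has no matching $cert (daemon: missing client certificate)"; rc=1
    fi
    # a key named after the registry host is almost certainly the server key, which a client never needs
    if [ "$(basename "$key" .key)" = "$host" ]; then
      echo "WARN: $key is named after the registry host; this looks like the Harbor server key copied to a client"
    fi
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case $mode in 600|400) ;; *) echo "WARN: $key is mode $mode; private keys should be 600" ;; esac
  done

  for cert in "$dir"/*.cert; do
    [ -e "$cert" ] || continue
    if [ ! -e "${cert%.cert}.key" ]; then
      echo "ERROR: $cert has no matching ${cert%.cert}.key (daemon: missing key for client certificate)"; rc=1
    fi
  done
  return $rc
}

# Usage against a constructed directory (on a real client pass /etc/docker/certs.d/harbor.skynemo.cn):
#   d=$(mktemp -d)/harbor.skynemo.cn; mkdir -p "$d"; touch "$d/ca.crt"
#   check_certsd "$d"                                     # accepted: one CA root, no client pair
#   touch "$d/harbor.skynemo.cn.key"; check_certsd "$d"   # ERROR (unpaired key) + WARN (server key on a client)
```

Run it after every copy step; a non-zero exit means docker login will fail for that registry, and a WARN about the host-named key means a server private key has left the server.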
# Add name resolution
root@docker:~# echo "192.168.111.171 harbor.skynemo.cn" >> /etc/hosts
# Log in
root@docker:~# docker login -u admin harbor.skynemo.cn
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
The warning is worth heeding: docker login writes the base64-encoded password to ~/.docker/config.json. Configure a credentials store (credsStore) and, on shared build hosts, log in with a per-user or robot account rather than admin.
Tag and push an image
root@docker:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest c059bfaa849c 2 months ago 5.59MB
# Tag as <registry>/<project>/<repository>:<tag>; the registry name must be the one the certificate and /etc/hosts entry were made for
root@docker:~# docker tag alpine:latest harbor.skynemo.cn/example/my-alpine:v1.0
root@docker:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest c059bfaa849c 2 months ago 5.59MB
harbor.skynemo.cn/example/my-alpine v1.0 c059bfaa849c 2 months ago 5.59MB
# Push
root@docker:~# docker push harbor.skynemo.cn/example/my-alpine:v1.0
The push refers to repository [harbor.skynemo.cn/example/my-alpine]
8d3ac3489996: Pushed
v1.0: digest: sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3 size: 528
View the image in the web UI
Pull the image and start a container
root@docker:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
# Pull
root@docker:~# docker pull harbor.skynemo.cn/example/my-alpine:v1.0
v1.0: Pulling from example/my-alpine
59bf1c3509f3: Pull complete
Digest: sha256:e7d88de73db3d3fd9b2d63aa7f447a10fd0220b7cbf39803c803f2af9ba256b3
Status: Downloaded newer image for harbor.skynemo.cn/example/my-alpine:v1.0
harbor.skynemo.cn/example/my-alpine:v1.0
root@docker:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
harbor.skynemo.cn/example/my-alpine v1.0 c059bfaa849c 2 months ago 5.59MB
# Run a container
root@docker:~# docker run -it --rm harbor.skynemo.cn/example/my-alpine:v1.0 sh
/ #
The digest printed at push and pull time identifies the exact manifest. For reproducible deployments pull by digest (harbor.skynemo.cn/example/my-alpine@sha256:e7d88de7...) rather than by a tag, which can be re-pointed at different content.
Harbor high availability (bidirectional replication)
Harbor supports policy-based image replication, conceptually similar to MySQL master/slave replication: images are synchronised between data centres or environments, the policies are managed from the web UI, and replication can be configured in both directions, which greatly simplifies image management in day-to-day operations.
Be clear about what this design does and does not give you: the two Harbor instances below each keep their own database and Redis, replication is asynchronous and event-driven, so an image pushed to one node appears on the other only after the replication job has run, and because login sessions are not shared the load balancer must pin each client to a single backend.
How HA is set up
Preparation
Host | OS | IP | Installed services |
---|---|---|---|
haproxy-1.skynemo.cn | Rocky Linux 8.7 | 192.168.111.186 | haproxy 2.6, keepalived 2.2.7 |
haproxy-2.skynemo.cn | Rocky Linux 8.7 | 192.168.111.187 | haproxy 2.6, keepalived 2.2.7 |
harbor-1.skynemo.cn | Rocky Linux 8.7 | 192.168.111.188 | docker 20.10.21, docker compose 2.12.2, harbor 2.6.2 |
harbor-2.skynemo.cn | Rocky Linux 8.7 | 192.168.111.189 | docker 20.10.21, docker compose 2.12.2, harbor 2.6.2 |
client.skynemo.cn | Rocky Linux 8.7 | 192.168.111.181 | docker 20.10.21, containerd 1.6.12 |
Installing haproxy and Harbor on these hosts is not covered here
Topology (the original page shows a diagram): client -> VIP 192.168.111.253 (keepalived) -> haproxy-1 / haproxy-2 -> harbor-1 (192.168.111.188) and harbor-2 (192.168.111.189), with bidirectional replication between the two Harbor nodes
Certificate preparation and configuration
Run this on any one host; copy the resulting certificates to the hosts that need them
Create the CA certificate
Create the directories and the serial file
# CA directories
$ mkdir -p /security/CA/{certs,crl,private}
# serial number of the first certificate to be issued
$ echo 01 > /security/CA/ca.srl
Create the CA private key
$ openssl genrsa -out /security/CA/private/ca.key 4096
Create the CA certificate
$ openssl req -x509 -new -nodes -sha512 -days 3650 \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=KMUST/OU=Personal/CN=skynemo.cn" \
-key /security/CA/private/ca.key \
-out /security/CA/ca.crt
Copy the CA certificate to both haproxy hosts (haproxy uses it to verify the Harbor backends)
# on each haproxy host, create the directory
mkdir -p /security/CA/{certs,crl,private}
# copy
scp /security/CA/ca.crt 192.168.111.186:/security/CA/ca.crt
scp /security/CA/ca.crt 192.168.111.187:/security/CA/ca.crt
Copy the CA certificate to the Docker client host
# on the client, create the directory; its name must match the registry hostname
mkdir -p /etc/docker/certs.d/harbor.skynemo.cn/
# copy
scp /security/CA/ca.crt 192.168.111.181:/etc/docker/certs.d/harbor.skynemo.cn/ca.crt
Create the haproxy server certificate
Create the directory
$ mkdir -p /security/haproxy
Create the private key
$ openssl genrsa -out /security/haproxy/harbor.skynemo.cn.key 4096
Create the certificate signing request (CSR)
$ openssl req -sha512 -new \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=KMUST/OU=Personal/CN=harbor.skynemo.cn" \
-key /security/haproxy/harbor.skynemo.cn.key \
-out /security/haproxy/harbor.skynemo.cn.csr
Create the x509 v3 extension file
$ cat > /security/haproxy/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=*.skynemo.cn
EOF
Sign the CSR with the CA, applying the extension file
$ openssl x509 -req -sha512 -days 3650 \
-extfile /security/haproxy/v3.ext \
-CA /security/CA/ca.crt \
-CAkey /security/CA/private/ca.key \
-CAserial /security/CA/ca.srl \
-in /security/haproxy/harbor.skynemo.cn.csr \
-out /security/CA/certs/harbor.skynemo.cn.crt
Bundle the private key and the certificate into one PEM file (the format haproxy's crt option expects)
$ cat /security/haproxy/harbor.skynemo.cn.key /security/CA/certs/harbor.skynemo.cn.crt > /security/CA/certs/harbor.skynemo.cn.pem
Use > rather than >>: re-running an append would stack a second key and certificate into the bundle. The file contains the private key, so it should be mode 600 and owned by the account haproxy reads it as.
Copy the PEM file to both haproxy hosts
# on each haproxy host, create the certificate directory
$ mkdir -p /apps/haproxy/conf/certs
# copy
$ scp /security/CA/certs/harbor.skynemo.cn.pem 192.168.111.186:/apps/haproxy/conf/certs/harbor.skynemo.cn.pem
$ scp /security/CA/certs/harbor.skynemo.cn.pem 192.168.111.187:/apps/haproxy/conf/certs/harbor.skynemo.cn.pem
Create the Harbor server certificate
Create the directory
$ mkdir -p /security/harbor/
Create the private key
$ openssl genrsa -out /security/harbor/r_harbor.skynemo.cn.key 4096
Create the certificate signing request (CSR)
$ openssl req -sha512 -new \
-subj "/C=CN/ST=Shanghai/L=Shanghai/O=KMUST/OU=Personal/CN=harbor.skynemo.cn" \
-key /security/harbor/r_harbor.skynemo.cn.key \
-out /security/harbor/r_harbor.skynemo.cn.csr
Create the x509 v3 extension file
# The names and IPs must be correct: haproxy and the peer Harbor connect to these nodes by IP, and a missing IP SAN makes the TLS handshake fail, so the two Harbor instances cannot replicate to each other
$ cat > /security/harbor/v3.ext <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=*.skynemo.cn
IP.1=192.168.111.188
IP.2=192.168.111.189
EOF
Sign the CSR with the CA, applying the extension file
$ openssl x509 -req -sha512 -days 3650 \
-extfile /security/harbor/v3.ext \
-CA /security/CA/ca.crt \
-CAkey /security/CA/private/ca.key \
-CAserial /security/CA/ca.srl \
-in /security/harbor/r_harbor.skynemo.cn.csr \
-out /security/CA/certs/r_harbor.skynemo.cn.crt
Copy the certificate and key to both Harbor hosts
# on each Harbor host, create the certificate directory
$ mkdir -p /etc/harbor/certs/
# copy certificate and key to the two Harbor hosts
$ scp /security/CA/certs/r_harbor.skynemo.cn.crt 192.168.111.188:/etc/harbor/certs/r_harbor.skynemo.cn.crt
$ scp /security/harbor/r_harbor.skynemo.cn.key 192.168.111.188:/etc/harbor/certs/r_harbor.skynemo.cn.key
$ scp /security/CA/certs/r_harbor.skynemo.cn.crt 192.168.111.189:/etc/harbor/certs/r_harbor.skynemo.cn.crt
$ scp /security/harbor/r_harbor.skynemo.cn.key 192.168.111.189:/etc/harbor/certs/r_harbor.skynemo.cn.key
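Both certificate sections of this article (the single-node one and the HA one above) issue a private CA and SAN server certificates by hand and then use them without ever checking the result. The script below is an added example, not code from the article or from the Harbor project: it wraps the same openssl steps in reusable functions and adds the verification step, checking that the leaf chains to the CA and that the hostname or IP a client will connect to is actually covered by a SAN (the check Docker, haproxy and browsers perform, and the thing that breaks replication when an IP is missing). The organisation name, output paths and the lab names and IPs are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the article): private CA + SAN server certificate for Harbor,
# followed by the verification that the manual procedure skips.
# Lab names (skynemo.cn, 192.168.111.188/189) and paths are assumptions; substitute your own.
set -eu

# make_ca CADIR CN: 4096-bit CA key (owner-only) and a 10-year self-signed CA certificate
make_ca() {
  cadir=$1; cn=$2
  mkdir -p "$cadir/private" "$cadir/certs"
  chmod 700 "$cadir/private"
  openssl genrsa -out "$cadir/private/ca.key" 4096 2>/dev/null
  chmod 600 "$cadir/private/ca.key"
  openssl req -x509 -new -nodes -sha512 -days 3650 \
    -subj "/O=Example Lab/CN=$cn" \
    -key "$cadir/private/ca.key" -out "$cadir/ca.crt" 2>/dev/null
  echo 01 > "$cadir/ca.srl"          # serial of the first issued certificate
}

# issue_server_cert CADIR OUTDIR NAME SAN...: key, CSR, v3 extensions, CA-signed leaf.
# SAN entries use openssl syntax: DNS:harbor.skynemo.cn  IP:192.168.111.188
# Also writes NAME.cert (same PEM, Docker's client-cert suffix) and NAME.pem (key+cert for haproxy).
issue_server_cert() {
  cadir=$1; outdir=$2; name=$3; shift 3
  san=$(IFS=,; echo "$*")
  mkdir -p "$outdir"
  openssl genrsa -out "$outdir/$name.key" 4096 2>/dev/null
  chmod 600 "$outdir/$name.key"
  openssl req -sha512 -new -subj "/O=Example Lab/CN=$name" \
    -key "$outdir/$name.key" -out "$outdir/$name.csr" 2>/dev/null
  cat > "$outdir/$name.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = $san
EOF
  openssl x509 -req -sha512 -days 3650 -extfile "$outdir/$name.ext" \
    -CA "$cadir/ca.crt" -CAkey "$cadir/private/ca.key" -CAserial "$cadir/ca.srl" \
    -in "$outdir/$name.csr" -out "$outdir/$name.crt" 2>/dev/null
  cp "$outdir/$name.crt" "$outdir/$name.cert"
  cat "$outdir/$name.key" "$outdir/$name.crt" > "$outdir/$name.pem"
  chmod 600 "$outdir/$name.pem"
}

# verify_cert CAFILE CERT NAME: 0 only if CERT chains to CAFILE *and* NAME (hostname or IP)
# is matched by a SAN, i.e. exactly what a TLS client checks. Wildcard SANs are honoured.
verify_cert() {
  cafile=$1; cert=$2; name=$3
  openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1 || return 1
  case $name in
    *[!0-9.]*) out=$(openssl x509 -in "$cert" -noout -checkhost "$name") ;;
    *)         out=$(openssl x509 -in "$cert" -noout -checkip "$name") ;;
  esac
  case $out in *" does match "*) return 0 ;; *) return 1 ;; esac
}

# Usage (mirrors the article's HA lab):
#   make_ca /security/CA skynemo.cn
#   issue_server_cert /security/CA /security/harbor harbor.skynemo.cn \
#       'DNS:*.skynemo.cn' IP:192.168.111.188 IP:192.168.111.189
#   verify_cert /security/CA/ca.crt /security/harbor/harbor.skynemo.cn.crt 192.168.111.188 && echo OK
#   verify_cert /security/CA/ca.crt /security/harbor/harbor.skynemo.cn.crt 192.168.111.253 || echo "VIP not in SANs"
```

Run verify_cert once per name or address that will appear in a client URL, a haproxy server line or a Harbor replication endpoint; the last usage line shows the failure that a certificate without the VIP would produce if clients were ever pointed at the VIP address instead of the name.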
Harbor configuration
Certificate configuration
# configure the certificate paths
$ vim /apps/harbor/harbor.yml
# hostname must be this node's own IP or hostname (192.168.111.188 on harbor-1, 192.168.111.189 on harbor-2); hostnames must resolve on both nodes
hostname: 192.168.111.188
https:
  port: 443
  certificate: /etc/harbor/certs/r_harbor.skynemo.cn.crt
  private_key: /etc/harbor/certs/r_harbor.skynemo.cn.key
# regenerate the Harbor configuration
$ cd /apps/harbor/ && ./prepare
# restart Harbor to apply (uses the systemd unit from the single-node section)
$ systemctl restart harbor
Because clients reach Harbor only through the VIP name, also consider setting external_url to https://harbor.skynemo.cn in harbor.yml so the UI and token service advertise that name rather than the node's own IP.
Web UI configuration
harbor-1
Create the project (it must have the same name as on the other Harbor; here example)
Open the project and check that its details are correct
Under Administration > Registries, create an endpoint of type Harbor pointing at the other instance (https://192.168.111.189) with an account that may push to that project, and use Test Connection to confirm the TLS chain is accepted
Under Administration > Replications, create a push-based rule towards that endpoint; with the trigger set to Event Based every push is replicated immediately
harbor-2 (same steps as harbor-1, with the roles reversed)
Create the project (same name as on the other Harbor)
Open the project and check that its details are correct
Create the endpoint pointing at the other instance (https://192.168.111.188)
Create the replication rule
Other configuration
haproxy configuration
The configuration is identical on both haproxy hosts
$ vim /etc/haproxy/haproxy.cfg
global
    maxconn 100000
    chroot /apps/haproxy/empty
    stats socket /var/lib/haproxy/haproxy.sock mode 600 level admin
    user haproxy
    group haproxy
    daemon
    pidfile /var/lib/haproxy/haproxy.pid
    log 127.0.0.1 local2 info
defaults
    option http-keep-alive
    option forwardfor
    maxconn 100000
    mode http
    timeout connect 300000ms
    timeout client 300000ms
    timeout server 300000ms
    # errorfile 404 /etc/haproxy/errors/404.http
listen stats
    mode http
    # binding the VIP on both nodes needs net.ipv4.ip_nonlocal_bind=1 (sysctl) on both; otherwise haproxy fails to start on the node that does not currently hold 192.168.111.253
    bind 192.168.111.253:9999
    log global
    stats enable
    stats hide-version
    stats uri /haproxy-status # URL of the haproxy status page
    stats auth haadmin:520123 # status page username/password; use a strong password and expose the stats port only to a management network
    stats refresh 30s
frontend harbor.skynemo.cn
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /apps/haproxy/conf/certs/harbor.skynemo.cn.pem
    # redirect plain HTTP to HTTPS so credentials never cross the network in clear text
    http-request redirect scheme https unless { ssl_fc }
    default_backend harbor_servers
backend harbor_servers
    mode http
    # Must be source-hash balancing: the two Harbor instances do not share sessions, so a client switched between them is logged out
    balance source
    hash-type consistent
    # Without certificate verification (not recommended; kept only for reference)
    # server harbor-1 192.168.1.201:443 check inter 3000 fall 3 rise 5 ssl verify none
    # Verify the backend certificate against our CA (verification is required by default once ca-file is set)
    server harbor-1 192.168.111.188:443 check inter 3000 fall 3 rise 5 ssl ca-file /security/CA/ca.crt
    server harbor-2 192.168.111.189:443 check inter 3000 fall 3 rise 5 ssl ca-file /security/CA/ca.crt
# Restart haproxy to apply
$ systemctl restart haproxy
Keepalived configuration
The two nodes' keepalived configurations differ only in router_id. Both nodes also have the same priority (50): VRRP then breaks the tie in favour of the higher primary IP address, so the master is chosen implicitly while both haproxy instances are healthy. For a deterministic master, give the preferred node a higher priority and keep the script weight larger than the difference, so a dead haproxy still forces a failover.
Keepalived configuration on haproxy-1
$ cat /etc/keepalived/keepalived.conf
# Global settings
global_defs {
    # unique identifier of this node (the keyword is router_id; route_id is not recognised)
    router_id KA-HA-VS-1
    vrrp_skip_check_adv_addr
}
# Health-check script
vrrp_script check_haproxy {
    script "/etc/keepalived/check_script/check_haproxy.sh"
    interval 2
    # added to the priority while the script succeeds, so the node whose haproxy has died loses the election
    weight 10
    rise 3
    fall 2
    # user and group the script runs as
    user haproxy haproxy
}
# VRRP instance
vrrp_instance VI_HAPROXY {
    state BACKUP
    # interface carrying the VRRP advertisements
    interface ens160
    # virtual router ID (identical on both nodes, unique on the segment)
    virtual_router_id 253
    # initial priority
    priority 50
    # advertisement interval in seconds (heartbeat)
    advert_int 1
    # advertisement authentication (plain-text PASS guards against misconfiguration only, not against an attacker on the same segment)
    authentication {
        auth_type PASS
        auth_pass 1234
    }
    # virtual IP address(es), several may be listed
    virtual_ipaddress {
        192.168.111.253/24 dev ens160 label ens160:0
    }
    # track the health-check script
    track_script {
        check_haproxy
    }
}
Keepalived configuration on haproxy-2
$ cat /etc/keepalived/keepalived.conf
# Global settings
global_defs {
    # unique identifier of this node
    router_id KA-HA-VS-2
    vrrp_skip_check_adv_addr
}
# Health-check script
vrrp_script check_haproxy {
    script "/etc/keepalived/check_script/check_haproxy.sh"
    interval 2
    weight 10
    rise 3
    fall 2
    # user and group the script runs as
    user haproxy haproxy
}
# VRRP instance
vrrp_instance VI_HAPROXY {
    state BACKUP
    # interface carrying the VRRP advertisements
    interface ens160
    # virtual router ID
    virtual_router_id 253
    # initial priority
    priority 50
    # advertisement interval in seconds (heartbeat)
    advert_int 1
    # advertisement authentication
    authentication {
        auth_type PASS
        auth_pass 1234
    }
    # virtual IP address(es), several may be listed
    virtual_ipaddress {
        192.168.111.253/24 dev ens160 label ens160:0
    }
    # track the health-check script
    track_script {
        check_haproxy
    }
}
Health-check script
$ cat /etc/keepalived/check_script/check_haproxy.sh
#!/bin/bash
# Process check only; in production, check the service itself (for example an HTTP request to the local frontend), not merely that a PID exists
# pgrep -x matches the exact process name, so this script's own command line (which also contains "haproxy") cannot produce a false positive
if /usr/bin/pgrep -x haproxy > /dev/null; then
    exit 0
else
    exit 1
fi
Docker client test
Docker client configuration
# The CA certificate was already copied to /etc/docker/certs.d/harbor.skynemo.cn/ca.crt during certificate preparation
# Add name resolution for the VIP
$ echo "192.168.111.253 harbor.skynemo.cn" >> /etc/hosts
Log in
$ docker login -u admin harbor.skynemo.cn
Password:
WARNING! Your password will be stored unencrypted in /root/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Tag and push an image
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 49176f190c7e 3 weeks ago 7.05MB
# Tag
$ docker tag alpine:latest harbor.skynemo.cn/example/my-alpine:v1.0
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 49176f190c7e 3 weeks ago 7.05MB
harbor.skynemo.cn/example/my-alpine v1.0 49176f190c7e 3 weeks ago 7.05MB
# Push
$ docker push harbor.skynemo.cn/example/my-alpine:v1.0
Check in both Harbor web UIs that the image has been replicated; the replication job runs asynchronously, and its execution status is listed under Administration > Replications
Pull the image and start a container
# local images removed first
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
# Pull through the VIP
$ docker pull harbor.skynemo.cn/example/my-alpine:v1.0
v1.0: Pulling from example/my-alpine
c158987b0551: Pull complete
Digest: sha256:c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c
Status: Downloaded newer image for harbor.skynemo.cn/example/my-alpine:v1.0
harbor.skynemo.cn/example/my-alpine:v1.0
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
harbor.skynemo.cn/example/my-alpine v1.0 49176f190c7e 3 weeks ago 7.05MB
# Run a container
$ docker run -it --rm harbor.skynemo.cn/example/my-alpine:v1.0 sh
/ #
containerd test
Add name resolution
# Add name resolution for the VIP
$ echo "192.168.111.253 harbor.skynemo.cn" >> /etc/hosts
Copy the CA certificate
# Create the directory; with the registry.configs tls.ca_file form used below, the directory name does not have to match the hostname
$ mkdir -p /etc/containerd/certs.d/harbor.skynemo.cn/
# Copy (run from the host that holds the CA)
$ scp /security/CA/ca.crt 192.168.111.181:/etc/containerd/certs.d/harbor.skynemo.cn/ca.crt
Configure the private registry
# The relevant part of the configuration
vim /etc/containerd/config.toml
......
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
    endpoint = ["https://sqr9a2ic.mirror.aliyuncs.com"]
  [plugins."io.containerd.grpc.v1.cri".registry.mirrors."harbor.skynemo.cn"]
    endpoint = ["https://harbor.skynemo.cn/v2/"]
[plugins."io.containerd.grpc.v1.cri".registry.configs]
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.skynemo.cn".tls]
    insecure_skip_verify = false
    ca_file = "/etc/containerd/certs.d/harbor.skynemo.cn/ca.crt"
  [plugins."io.containerd.grpc.v1.cri".registry.configs."harbor.skynemo.cn".auth]
    username = "admin"
    password = "Harbor12345"
......
Two caveats. The registry.mirrors and registry.configs.*.tls tables are deprecated since containerd 1.5 in favour of config_path with a per-registry hosts.toml (they still work in 1.6). And putting the admin password in config.toml hands every node full Harbor administration rights: use a Harbor robot account scoped to the project with pull permission only, and keep config.toml readable by root only.
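The fragment above is the deprecated layout with the admin credential embedded. The functions below are an added example, not code from the article, from containerd or from nerdctl: they write the hosts.toml form containerd 1.5+ recommends for one registry, pinned to the private CA with skip_verify left false, and emit the matching config.toml registry block that points config_path at that directory and authenticates with a Harbor robot account instead of admin. The paths and the robot account name are assumptions for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the article): containerd registry configuration in the hosts.toml layout.
# With config_path set, containerd ignores the deprecated registry.mirrors and
# registry.configs.*.tls tables; credentials still live in config.toml under registry.configs.<host>.auth.
# Paths and the robot account name below are assumptions for the demo.
set -eu

# write_hosts_toml CERTS_DIR HOST CA_PATH: hosts.toml pinning HOST to our private CA.
# Prints the path of the file written.
write_hosts_toml() {
  certs_dir=$1; host=$2; ca=$3
  mkdir -p "$certs_dir/$host"          # the directory name MUST equal the registry host[:port]
  cat > "$certs_dir/$host/hosts.toml" <<EOF
# $host is verified against the private CA; skip_verify stays false
server = "https://$host"

[host."https://$host"]
  capabilities = ["pull", "resolve", "push"]
  ca = "$ca"
  skip_verify = false
EOF
  echo "$certs_dir/$host/hosts.toml"
}

# registry_block CERTS_DIR HOST USER PASS: the CRI registry section for config.toml.
# USER should be a Harbor robot account limited to the project (pull-only on nodes that never push),
# never the admin user. Prints the TOML to stdout; merge it into the existing registry section.
registry_block() {
  certs_dir=$1; host=$2; user=$3; pass=$4
  cat <<EOF
[plugins."io.containerd.grpc.v1.cri".registry]
  config_path = "$certs_dir"

[plugins."io.containerd.grpc.v1.cri".registry.configs."$host".auth]
  username = "$user"
  password = "$pass"
EOF
}

# Usage on a node (then chmod 600 /etc/containerd/config.toml and systemctl restart containerd):
#   write_hosts_toml /etc/containerd/certs.d harbor.skynemo.cn /etc/containerd/certs.d/harbor.skynemo.cn/ca.crt
#   registry_block /etc/containerd/certs.d harbor.skynemo.cn 'robot$example+puller' "$ROBOT_SECRET"
#   (the robot account name is a placeholder; create one under the project in Harbor and paste its secret)
```

nerdctl reads the same certs.d directory for TLS, so the hosts.toml file serves both the CRI plugin and the nerdctl tests that follow.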
Pull the image and start a container
# Pull
$ nerdctl pull harbor.skynemo.cn/example/my-alpine:v1.0
harbor.skynemo.cn/example/my-alpine:v1.0: resolved |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:c0d488a800e4127c334ad20d61d7bc21b4097540327217dfab52262adc02380c: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:49176f190c7e9cdb51ac85ab6c6d5e4512352218190cd69b08e6fd803ffbf3da: done |++++++++++++++++++++++++++++++++++++++|
layer-sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 0.4 s total: 3.2 Mi (7.8 MiB/s)
# Start a container
$ nerdctl run -it --name alpine harbor.skynemo.cn/example/my-alpine:v1.0
/ #